How to force maven-gpg-plugin to use the primary gpg key instead of a subkey?

Posted on 2024-11-27 02:46:40


I have a GPG public key with a sub key. When I attempt to sign my Maven artifacts as part of the release process, the plugin is signing with the sub key instead of the main key.

Looking at the docs for the plugin here:
http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html

I do not see an obvious property to set to control which key is used. Is it possible to control this?


Comments (2)

梦旅人picnic 2024-12-04 02:46:40


After asking some questions on mailing lists, it appears I wasn't the only one with this issue.

In my case, I had created my key pairs using GPG Keychain Access UI on my Mac. Other users who had used the same tool to create their keys also reported the same issue with Maven.

For whatever reason, when you create a key pair using that UI it creates not only a top level key but also a sub key. This doesn't happen when you use the command line tools to create a new key pair.

So I went to the command line, revoked the subkey and everything started to work.

I am not sure if the underlying issue is with the way the GPG KeyChain Access UI creates keys, or if it is the way the maven plugin reads keys though.

北座城市 2024-12-04 02:46:40


TLDR; You can control it by deleting or revoking the subkey. Revoking is recommended.

--

This has been discussed in this Sonatype issue, for example. Also, it doesn't only impact the UI - I created my keys using gpg4win on Windows 7, and command line key generation generated both pub and subkeys:

> gpg --gen-key

> gpg --list-keys

pub   2048R/xxxxxxxx 2014-12-18
uid       
sub   2048R/yyyyyyyy 2014-12-18

Comments say that you have two options:

you will want to delete the sub key, and then sign, deploy again

..

I revoked the key (did not delete it) and that worked as well.

The comments in the issue say that the document was updated regarding instructions, but the link no longer works. By using some page caches I was able to salvage the content, which read like this:

Delete a Sub Key

Some PGP tools by default generate a sub signing key and use it for
signing instead of using the primary key. This is a problem if you use
it to sign artifacts and deploy artifacts to the Central Repository,
because Nexus could not get the primary key ID from a signature
produced by a sub key, thus it could not import the public key and will
fail to verify the artifact. The fix is to delete the sub signing key
so PGP will use the primary key for signing.

To get an idea whether you have a sub signing key, run the command below
with your own key ID:

$ gpg --edit-key A6BAB25C

gpg (GnuPG/MacGPG2) 2.0.17; Copyright (C) 2011 Free Software
Foundation, Inc. This is free software: you are free to change and
redistribute it. There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/A6BAB25C  created: 2011-08-31  expires: 2012-06-26  usage: SC
                       trust: ultimate      validity: ultimate
sub  2048R/DD289F64  created: 2011-08-31  expired: 2011-09-30  usage: E
sub  2048R/8738EC86  created: 2011-12-19  expires: 2012-06-16  usage: S
[ultimate] (1). Juven Xu (for testing) <[email protected]>

As you can see from above example, this key has 2 sub keys with ID
DD289F64 and 8738EC86. The output also shows the creation time and
expiration time. What's important here is usage: E stands for
Encryption so sub key DD289F64 is used for encryption only, S stands
for Signing so sub key 8738EC86 is used for Signing only. If a primary
key has an S sub key, it will use it for signing, otherwise it will do
the signing job itself. So we want to delete the sub key 8738EC86.

First select the sub key we want to delete, since its index is 2
(indices start with 0), we run the command:

gpg> key 2

pub  2048R/A6BAB25C  created: 2011-08-31  expires: 2012-06-26  usage: SC
                       trust: ultimate      validity: ultimate
sub  2048R/DD289F64 created: 2011-08-31  expired: 2011-09-30  usage: E
sub* 2048R/8738EC86 created: 2011-12-19  expires: 2012-06-16  usage: S
[ultimate] (1). Juven Xu (for testing) <[email protected]>

As you can see from the output, the sub key 8738EC86 is marked with *.
Now delete it:

gpg> delkey

Do you really want to delete this key? (y/N) y

pub  2048R/A6BAB25C  created: 2011-08-31  expires: 2012-06-26  usage: SC
                       trust: ultimate      validity: ultimate
sub  2048R/DD289F64  created: 2011-08-31  expired: 2011-09-30  usage: E
[ultimate] (1). Juven Xu (for testing) <[email protected]>

Tip If you've already distributed your public key, it's better to
revoke the sub signing key instead of deleting it, although either way
you can make your primary key the signing key. See The GNU
Privacy Handbook for the difference between deleting and revoking. To
revoke a sub key, use gpg> revkey instead of gpg> delkey.

Ya! 8738EC86 is not listed any more, the final step is saving our
change:

gpg> save

That's it! Now you can test the change by signing a file, and then
verify it. The output should contain something like:

gpg: Signature made ************************* using *** key ID
[YOUR-PRIMARY-KEY-ID]

So, for me the practical steps were

gpg --edit-key PRIMARYKEYID
key 1
revkey
[y]
[3]
save

and redoing the sign/release.
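Both answers come down to the same check: does the key have a usable signing subkey (gpg will pick it over the primary), and which key ID actually ended up in the artifact signature? The script below is an added example, not code from the question, either answer, or the Sonatype document quoted above. It parses the machine-readable output of `gpg --with-colons --list-keys` (field 2 is validity, field 5 the key ID, field 12 the capability letters) and of `gpg --list-packets file.asc` (the `:signature packet:` line carries the issuing key ID), so it runs offline against the embedded samples. The samples are constructed to mirror the key layout on the page (primary A6BAB25C, expired encryption subkey DD289F64, signing subkey 8738EC86); the 16-character key IDs are zero-padded placeholders, and the user ID and timestamps are made up. A release pipeline would feed it the real command output before deploying.

```python
import re

# Constructed sample of `gpg --with-colons --list-keys A6BAB25C`, shaped like
# the key on the page. Long key IDs are zero-padded placeholders.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:00000000A6BAB25C:1314748800:1340668800::u:::scESC::::::
fpr:::::::::00000000000000000000000000000000A6BAB25C:
uid:u::::1314748800::0000000000000000000000000000000000000000::Juven Xu (for testing) <user@example.invalid>::::::
sub:e:2048:1:00000000DD289F64:1314748800:1317340800:::::e::::::
sub:u:2048:1:000000008738EC86:1324252800:1339804800:::::s::::::
"""

# Same key after `revkey` on the signing subkey: its validity field becomes 'r'.
SAMPLE_LISTING_REVOKED = SAMPLE_LISTING.replace(
    "sub:u:2048:1:000000008738EC86", "sub:r:2048:1:000000008738EC86")

# Constructed sample of `gpg --list-packets artifact.jar.asc` for a signature
# that the subkey 8738EC86 produced (the failure mode described on the page).
SAMPLE_PACKETS = """\
# off=0 ctb=89 tag=2 hlen=3 plen=284
:signature packet: algo 1, keyid 000000008738EC86
\tversion 4, created 1418860800, md5len 0, sigclass 0x00
\tdigest algo 8, begin of digest 1a 2b
\thashed subpkt 2 len 4 (sig created 2014-12-18)
\tsubpkt 16 len 8 (issuer key ID 000000008738EC86)
\tdata: [2047 bits]
"""

# Validity letters under which gpg will not use a key for signing.
UNUSABLE = {"e", "r", "d", "i"}  # expired, revoked, disabled, invalid

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]{16})", re.M)


def parse_keys(listing):
    """Return pub/sub records as dicts from --with-colons output."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) > 11 and f[0] in ("pub", "sub"):
            keys.append({"type": f[0], "validity": f[1], "keyid": f[4],
                         "created": int(f[5] or 0), "caps": f[11]})
    return keys


def signing_subkeys(listing):
    """Key IDs of subkeys that are usable and carry the 's' capability."""
    return [k["keyid"] for k in parse_keys(listing)
            if k["type"] == "sub" and "s" in k["caps"]
            and k["validity"] not in UNUSABLE]


def predicted_signing_key(listing):
    """gpg signs with the newest usable signing subkey; if none, the primary."""
    keys = parse_keys(listing)
    subs = [k for k in keys if k["type"] == "sub" and "s" in k["caps"]
            and k["validity"] not in UNUSABLE]
    if subs:
        return max(subs, key=lambda k: k["created"])["keyid"]
    return next(k["keyid"] for k in keys if k["type"] == "pub")


def signature_issuer(packets):
    """Key ID named in the first signature packet of --list-packets output."""
    m = SIG_RE.search(packets)
    if not m:
        raise ValueError("no signature packet found")
    return m.group(1).upper()


def signed_by_primary(listing, packets):
    """True when the signature was made by the primary key, not a subkey."""
    primary = next(k["keyid"] for k in parse_keys(listing) if k["type"] == "pub")
    return signature_issuer(packets) == primary.upper()


if __name__ == "__main__":
    print("usable signing subkeys:", signing_subkeys(SAMPLE_LISTING))
    print("gpg will sign with    :", predicted_signing_key(SAMPLE_LISTING))
    print("signature issuer      :", signature_issuer(SAMPLE_PACKETS))
    print("primary key signed it :", signed_by_primary(SAMPLE_LISTING, SAMPLE_PACKETS))
    print("after revoking subkey :", predicted_signing_key(SAMPLE_LISTING_REVOKED))
```

Running `predicted_signing_key` on the listing before a release tells you whether the problem on this page is about to happen; running `signed_by_primary` on the `.asc` afterwards confirms it did not. Note that an expired or revoked signing subkey is skipped, which is why the answer above works after `revkey` without deleting anything. Outside the page's text, GnuPG also accepts a trailing `!` on the key ID passed as `--local-user` (for example `A6BAB25C!`) to force that exact key instead of letting it choose a subkey, and current maven-gpg-plugin versions expose the local user through their `keyname` parameter, so pinning the primary key that way is an alternative to removing the subkey.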
